On Fri 18 July 2003 17:35, Joerg Schilling wrote:
> >Old-Return-Path: <[EMAIL PROTECTED]>
> >
> >http://www.securiteam.com/exploits/5ZP0C2AAAC.html
>
> This is just a very very old one that has been fixed on May 3rd
> (3.5 months before the posting you refer to has been made).
>
>
> It could thus not be called a cdrecord vulnerability but
> probably a Slackware problem (if the guys on Slackware do not
> react on bug alerts within 3 1/2 months).

Slackware 8.1 ships with cdrtools-1.11a24, Slackware 9 and 
Slackware-current both have cdrtools-2.0. I haven't been able to 
find any cdrtools-2.01a5 packages on the official Slackware FTP 
sites (I used the dl.xs4all.nl mirror, which is usually up-to-date 
and complete).

So, what we have here is someone installing an old version with a 
known vulnerability, writing an exploit for it, and bragging about 
it. Either that or it took him 3 1/2 months more than Jörg to 
figure out that there was indeed a vulnerability and he didn't 
bother to check if it had been fixed before publishing his exploit.

Lourens
-- 
GPG public key: http://home.student.utwente.nl/l.e.veen/lourens.key

